In the Apple world, the account that controls access to all your Apple-related online services is the Apple Account (formerly known as an Apple ID). Buying apps from the App Store, putting photos in iCloud Photos, and sharing data between iCloud-enabled apps—all these actions rely on your Apple Account. If you’re a regular Apple user, you have an Apple Account associated with your email address.
Most Apple users set up an Apple Account when they configure their first Apple device, and if you don’t have an email address that you want to use, you can create a free @icloud.com address during the process. (If you need to create a new Apple Account, you can do that at account.apple.com.) Some users may have accounts ending in @mac or @me, which were previously available when signing up for your Apple Account.
There are actually two types of Apple Accounts: Apple Accounts used by individual users and Managed Apple Accounts given to employees by businesses and other organizations. Managed Apple Accounts are popular with our business clients that give devices to staff members and need to ensure compliance with various usage and security policies. Let’s look at how they differ:
- Creation, ownership, and control: Individuals set up Apple Accounts on their own and maintain full ownership over the account and control over the device. Managed Apple Accounts are set up by the organization, typically through Apple Business Manager, and the organization retains ownership and control for centralized management. That control is essential when an employee leaves. Otherwise, a company may be unable to reset a returned device and give it to another employee.
- Access to Apple services: Apple Accounts have full access to all Apple services and features. Managed Apple Accounts have much more limited access to protect the organization from unauthorized purchases and insecure behavior. Users with Managed Apple Accounts can’t purchase anything from the App Store, iTunes Store, or Apple Books. Nor can they access Apple Arcade, Apple Fitness+, Apple Music, Apple Music radio, Apple News+, or Apple TV+. The Find My, Health, Home, Journal, and Wallet apps aren’t available or fully functional. Plus, Apple Pay, iCloud Family Sharing, iCloud Mail, and iCloud+ services like Private Relay, Hide My Email, and custom email domains are unavailable.
- Security and management: When a device relies on an Apple Account, that user is responsible for maintaining security and managing apps (which will belong to the user). That’s appropriate for individuals, but for companies that need to protect corporate information, Managed Apple Accounts allow the IT department to enhance security by requiring passcodes, enforcing password policies, setting role-based permissions, and separating work and personal data. On the management side, Managed Apple Accounts make it easier to reset devices, revoke access, comply with legal and privacy regulations, integrate with corporate identity systems, and centralize app licensing.
Though some organizations may prevent it, it is technically possible to use both types of Apple Accounts on the same device. For instance, you could use a Managed Apple Accounts on an employer-provided device along with an Apple Account to access the App Store, Apple Music, Apple News+, and other Apple services. To do that on an iPhone, you’d go to Settings > Your Name > Media & Purchases and either sign in with your Apple Account or, if necessary, tap Sign Out and sign back in.
What’s the takeaway? There are three possibilities, depending on who owns the device and the employer’s security and management policies:
- Personal device not used for work: If you’re a regular user who has purchased your own device and you either don’t use it for work or your employer doesn’t care what you do, all you need is a single Apple Account. Although it’s possible to create multiple Apple Accounts and use them for different purposes, it’s a recipe for confusion down the road.
- Personal device used for work: If your employer has a BYOD (Bring Your Own Device) program that lets you use your own device with corporate resources, they will likely ask to use Apple’s User Enrollment to create a profile on the device that separates personal and work data and allows the use of both an Apple Account and a Managed Apple Account. Although the IT department cannot access your personal data (emails, messages, photos, location, etc.), it can enforce security policies, install and configure work-related apps, and control corporate data on the device. Some people find the privacy implications of this approach troubling and opt for separate work and personal devices.
- Employer-provided device: If your employer provides a device for your use, they will likely require you to use a Managed Apple Account on it. That prevents you from having to worry about security or management, but comes with some restrictions on what you can do. Talk to your IT department if you also want to use your Apple Account on the device.
Hopefully, we’ve clarified the situation surrounding an Apple Account and a Managed Apple Account. Which makes the most sense in any given situation depends on a wide range of variables, so contact us if you need to talk through the possibilities as either an employee or employer.
(Featured image based on an original by iStock.com/dolgachov)
